Hackers-for-hire played key role in JPMorgan, Fidelity breaches

NEW YORK/SAN FRANCISCO: When US prosecutors this week charged two Israelis and an American fugitive with raking in hundreds of millions of dollars in one of the largest and most complex cases of cyberfraud ever exposed, they also provided an unusual look into the burgeoning industry of criminal hackers for hire.

The trio, who are accused of orchestrating massive computer breaches at JPMorgan Chase & Co and other financial firms, as well as a series of other major offences, did little if any hacking themselves, the federal indictments and a previous civil case brought by the US Securities and Exchange Commission indicate.

Rather, they constructed a criminal conglomerate with activities ranging from pump-and-dump stock fraud to internet casino break-ins and unlicensed bitcoin trading. And just like many legitimate corporations, they outsourced much of their technology needs.

“They clearly had to recruit co-conspirators and have that type of hacker-for-hire,” said Austin Berglas, former assistant special agent in charge of the FBI’s New York cyber division, who worked the JPMorgan case before he left the agency in May. “This is the first case where it’s that clear of a connection.”

Berglas, who now heads cyber-investigations for private firm K2 Intelligence, said additional major cases of freelance hacking will come to light, especially as more people become familiar with online tools such as Tor that seek to conceal a user’s identity and location.

Rented time

This week’s indictments accused a hacker referred to as “co-conspirator 1” of installing malicious software on the servers of multiple victims at the direction of Gery Shalon, the alleged mastermind of the scheme now under arrest in Israel. A second indictment charges a man referred to as John Doe, believed to be in Russia, for an attack on online trading firm E*Trade.

Officials have not said if the co-conspirator and John Doe were the same person, or even if the FBI knows their true identities.

Law enforcement and computer security officials say that outsourced cybercrime services — including rented time on networks of previously compromised personal computers and custom break-ins — are most readily found on underground Russian-language computer forums, where skilled attackers advertise their services.

The forums are tight-knit communities where newbies must be vouched for by multiple known members and pay membership fees that cost thousands of dollars, said Daniel Cohen, who oversees an undercover team at EMC Corp’s RSA Security that monitors the forums.

“You can find anything you want for an operation. Hackers, servers, software, code writing. They are all available,” said Cohen. Individuals hide their identities even from each other, making infiltration and arrests rare.

In this case, the ringleaders are accused of hiring hackers to steal contact information and other data that they then used to help convince ordinary investors to buy little-regulated stocks. Prosecutors have not disclosed how the hackers were compensated.

Fees vary greatly in the cyber-underground, depending on the complexity of the assignment and supply of talent available to do a particular job. Elite hackers who pull off the most technically challenging attacks might get a percentage of profits, while others might earn an hourly rate or get paid a few thousand dollars for winning access to a target’s network, researchers said.

Pump-and-dump

All three of those accused this week — Shalon, Joshua Samuel Aaron, who is at large, and Ziv Orenstein, who is also in jail in Israel — began promoting penny stocks before the hacks took place, according to US government claims.

They used websites including Pennystockdiscoveries.com and Stockcastle.com to send emails as part of a scheme in which they invested in penny stocks, spread false information to boost their prices, and then sold them to make windfall profits, according to an SEC suit filed in July.

In one case in early 2012, the SEC claims that they used the website Stockcastle.com to promote shares in Mustang Alliances Inc, reaping $2.2 million, the largest pump-and-dump cited in the regulator’s lawsuit. In March of that year, the British Virgin Islands Financial Services Commission issued an alert warning that two entities tied to Stockcastle were falsely claiming to be registered in the territory.

That same year, the enterprise began a massive hacking spree to get contact information for investors who might be good targets, according to prosecutors. By the end of 2013 they had ordered up six hacks that provided data on tens of millions of customers, prosecutors said.

They hit the mother lode in 2014 when they attacked three other firms, and stole data on 83 million customers from JPMorgan alone, prosecutors said.